The protection of information and secrets over a network requires the use of secure methods to add new devices to the network. It is possible to breach network security and gain access to network information and secrets through interfering with the registration process of devices with the network. One method of interfering with the registration of network devices is through interjecting an imposter device into the registration process. If this imposter device can successfully pose as the legitimate device during the registration process, then it is possible for the imposter device to register with the network and masquerade as the legitimate device. As a result, the imposter device can gain access to the information and secrets stored on the network. It is therefore desirable to develop methods and systems that can provide a secure method for registering a device with a network.
A variety of methods and systems are known to facilitate communications between two devices. One such protocol is the Diffie-Hellman key agreement protocol. The Diffie-Hellman key agreement protocol (also called exponential key agreement) was developed by Diffie and Hellman in 1976 and published in the paper “New Directions in Cryptography.”
The protocol allows two users to establish a secret key over an insecure medium without any prior secrets. The protocol has two system parameters p and g. They are both public and may be used by all the users in a system. Parameter p is a prime number and parameter g (usually called a generator) is an integer less than p, which is capable of generating every element from 1 to p−1 when multiplied by itself a certain number of times, modulo the prime p. The protocol depends on the discrete logarithm problem for its security. It assumes that it is computationally infeasible to calculate the shared secret key k=gab mod p given the two public values ga mod p and gb mod p when the prime p is sufficiently large. Breaking the Diffie-Hellman protocol is equivalent to computing discrete logarithms under certain assumptions.
Another system is the Point-to-Point Protocol (PPP) Extensible Authentication Protocol (EAP). EAP is a general system for PPP authentication that is compatible with a variety of authentication mechanisms. EAP does not select a specific authentication mechanism at a Link Control Phase, but rather postpones this selection until an Authentication Phase. This postponement enables the authenticator to request more information prior to determining the specific authentication mechanism. In addition, this postponement also enables the use of a “back-end” server that actually implements the various mechanisms while the PPP authenticator merely passes through the authentication exchange.
RSA is yet another protocol system that provides an algorithm for public key cryptography. The “key” of an RSA cipher has three numbers: the first is the public exponent, the second is the private exponent, and the third is the modulus. The public key is formed from the public exponent and the modulus. The private key is formed from the private exponent and modulus. If two devices are to engage in encrypted communications, they each generate a pair of keys. These devices then may exchange public keys using a non-secure communications channel. Thereafter, when the devices engage in encrypted communications, one device can encrypt the message using the other devices' public key and send it via a non-secure channel. Since the private keys are not exchanged, decryption by an eves dropper proves difficult.
Consider the case of a wireless network with an access point in infrastructure mode. Suppose a user buys a wireless printer and wants to connect the printer to the network. If Wi-Fi Protected Access (WPA) is enabled on the access point, the user has a variety of options for setting up a secure connection between the access point and printer.
The user can install a WPA pre-shared key on the access point and on the printer. Note that pre-shared keys are not device-specific. Also, multiple devices may utilize the same pre-shared key to connect to an access point. Alternatively, if the access point is a client to a Remote Authentication Dial in User Server (RADIUS), or includes the capabilities of a RADIUS server, the printer name and credentials can be added to the RADIUS server database. A RADIUS server is used to authenticate and return parameters including the users IP address, gateway, and DNS server. The printer credentials must also be installed on the printer. The credentials may be a password, key, or certificate. The RADIUS server and printer are also configured to perform the same type of EAP authentication, with the printer acting as the supplicant.